From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Sun, 16 Sep 2018 13:40:00 +0000 (+0200)
Subject: 4.18-stable patches
X-Git-Tag: v4.18.9~25
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2a7cc7904cb5408fdb120136cf91939a4349c290;p=thirdparty%2Fkernel%2Fstable-queue.git

4.18-stable patches

added patches:
	switchtec-fix-spectre-v1-vulnerability.patch
---

diff --git a/queue-4.18/series b/queue-4.18/series
index ffc6dc7bf43..23c9da62b7a 100644
--- a/queue-4.18/series
+++ b/queue-4.18/series
@@ -38,3 +38,4 @@ x86-microcode-make-sure-boot_cpu_data.microcode-is-up-to-date.patch
 x86-microcode-update-the-new-microcode-revision-unconditionally.patch
 x86-process-don-t-mix-user-kernel-regs-in-64bit-__show_regs.patch
 x86-apic-vector-make-error-return-value-negative.patch
+switchtec-fix-spectre-v1-vulnerability.patch
diff --git a/queue-4.18/switchtec-fix-spectre-v1-vulnerability.patch b/queue-4.18/switchtec-fix-spectre-v1-vulnerability.patch
new file mode 100644
index 00000000000..f8b897793c1
--- /dev/null
+++ b/queue-4.18/switchtec-fix-spectre-v1-vulnerability.patch
@@ -0,0 +1,55 @@
+From 46feb6b495f7628a6dbf36c4e6d80faf378372d4 Mon Sep 17 00:00:00 2001
+From: "Gustavo A. R. Silva" <gustavo@embeddedor.com>
+Date: Thu, 16 Aug 2018 14:06:46 -0500
+Subject: switchtec: Fix Spectre v1 vulnerability
+
+From: Gustavo A. R. Silva <gustavo@embeddedor.com>
+
+commit 46feb6b495f7628a6dbf36c4e6d80faf378372d4 upstream.
+
+p.port can is indirectly controlled by user-space, hence leading to
+a potential exploitation of the Spectre variant 1 vulnerability.
+
+This issue was detected with the help of Smatch:
+
+  drivers/pci/switch/switchtec.c:912 ioctl_port_to_pff() warn: potential spectre issue 'pcfg->dsp_pff_inst_id' [r]
+
+Fix this by sanitizing p.port before using it to index
+pcfg->dsp_pff_inst_id
+
+Notice that given that speculation windows are large, the policy is to kill
+the speculation on the first load and not worry if it can be completed with
+a dependent load/store [1].
+
+[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
+
+Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
+Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
+Acked-by: Logan Gunthorpe <logang@deltatee.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/pci/switch/switchtec.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/pci/switch/switchtec.c
++++ b/drivers/pci/switch/switchtec.c
+@@ -14,6 +14,8 @@
+ #include <linux/poll.h>
+ #include <linux/wait.h>
+ 
++#include <linux/nospec.h>
++
+ MODULE_DESCRIPTION("Microsemi Switchtec(tm) PCIe Management Driver");
+ MODULE_VERSION("0.1");
+ MODULE_LICENSE("GPL");
+@@ -909,6 +911,8 @@ static int ioctl_port_to_pff(struct swit
+ 	default:
+ 		if (p.port > ARRAY_SIZE(pcfg->dsp_pff_inst_id))
+ 			return -EINVAL;
++		p.port = array_index_nospec(p.port,
++					ARRAY_SIZE(pcfg->dsp_pff_inst_id) + 1);
+ 		p.pff = ioread32(&pcfg->dsp_pff_inst_id[p.port - 1]);
+ 		break;
+ 	}